[shib_auth] Autocreating users, subject to attributes satisfying certain conditions.

Christopher Hoskin christopher.hoskin at sant.ox.ac.uk
Tue Feb 3 12:18:37 CET 2015


Hello,

We have shib_auth working such that users can authenticate through our IdP. The first time a user authenticates, a Drupal account is created for them with no roles assigned.

I see that with shib_auth it is possible to assign roles based on Shibboleth attributes. I was wondering if it was possible to prevent a Drupal account from being created at all unless the Shibboleth attributes have certain values?

The way I've been achieving this so far is in the Apache config e.g.:

        <Location />
                AuthType shibboleth
                ShibRequireSession On
                ShibUseHeaders On
                # Only allow access if orgunit-dn matches one of the following
                require shib-attr orgunit-dn oUnitCode=unit1,ou=units,dc=example,dc=org
                require shib-attr orgunit-dn oUnitCode=unit2,ou=units,dc=example,dc=org
        </Location>

However, I'd also like to use lazy sessions (i.e. ShibRequireSession Off), at which point this stops working.

Thanks.

Christopher Hoskin
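
Added example, not part of the original message and not shib_auth code: one way to express the same orgunit-dn check in PHP, so that it can run in the application before an account is created when lazy sessions are in use. The function names, the `$server` array key and the sample requests are assumptions; how shib_auth would invoke such a check is not shown here.

```php
<?php
// Added example, not shib_auth code. Requires PHP 7.4+.
// Allowed values copied from the Apache "require shib-attr" rules above.
const ALLOWED_ORGUNIT_DNS = [
    'oUnitCode=unit1,ou=units,dc=example,dc=org',
    'oUnitCode=unit2,ou=units,dc=example,dc=org',
];

// The Shibboleth SP exports a multi-valued attribute as one string: values are
// separated by ';' and a literal ';' inside a value is escaped as '\;'.
function shib_attribute_values(?string $raw): array
{
    if ($raw === null || $raw === '') {
        return []; // no session, or attribute not released
    }
    $parts = preg_split('/(?<!\\\\);/', $raw); // split on unescaped ';' only
    $values = array_map(fn($v) => trim(str_replace('\\;', ';', $v)), $parts);
    return array_values(array_filter($values, fn($v) => $v !== ''));
}

// Hypothetical gate: true only if at least one released value is an exact,
// case-sensitive match for an allowed DN. A missing attribute fails closed.
function may_autocreate_account(array $server, string $key = 'orgunit-dn'): bool
{
    foreach (shib_attribute_values($server[$key] ?? null) as $dn) {
        if (in_array($dn, ALLOWED_ORGUNIT_DNS, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests (stand-ins for $_SERVER), not real data.
$samples = [
    'no session'       => [],
    'other unit'       => ['orgunit-dn' => 'oUnitCode=unit9,ou=units,dc=example,dc=org'],
    'unit1 only'       => ['orgunit-dn' => 'oUnitCode=unit1,ou=units,dc=example,dc=org'],
    'two values'       => ['orgunit-dn' => 'cn=a\;b,dc=example,dc=org;oUnitCode=unit2,ou=units,dc=example,dc=org'],
    'substring attack' => ['orgunit-dn' => 'x-oUnitCode=unit1,ou=units,dc=example,dc=org'],
];
foreach ($samples as $label => $server) {
    printf("%-17s %s\n", $label, may_autocreate_account($server) ? 'create account' : 'deny');
}
```

Pass the key under which the attribute actually arrives; with `ShibUseHeaders On` the value is delivered as a request header rather than an environment variable, so the `$_SERVER` key differs.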